Tag: Pegasus

another telegram channel another public targeting campaign [updated March 9]

Posted on by aiw_admin

[Update] On March 9, Hajiyev told his lawyer, that the messages leaked were fabricated, while some were more than ten years old. The imprisoned activist also said, he suspects his device was infected with Pegasus and this is how the authorities were able to extract the information they have been disseminating online via Telegram channels. Rufat Safarov, a rights defender who heads the campaign calling for Hajiyev’s release said the blackmail campaign targeting Hajiyev aimed to discredit the activist, according to reporting by Turan News Agency.

Az-Net Watch documented numerous examples when civic activists were targeted via Telegram channels in the past. Often these channels are public and share private information and/or intimate content of the person targeted. Not once, attempts to investigate how the leaked data made it into these channels were successful. While targeted activists suspect the information was leaked by officials these suspicions were often either dismissed or unaddressed. So it was not at all surprising that yet another blackmail campaign has been making rounds on Telegram.

The channel originally called “Baktiyar’s exposure” was first discovered on February 24. Since then, the channel has been renamed to “Bakhtiyar Hajiyev Expose.” The first channel shared Hajiyev’s intimate photographs. The new one has videos of his correspondence with women. By the time this story was revisited AIW counted at least six different Telegram channels targeting Hajiyev.

His friends and colleagues suspect that these were extracted from his mobile device. Hajiyev currently is in administrative detention. He was arrested on December 9 and originally sentenced to 50 days in administrative detention. Since then, his detention period has been extended, most recently on February 23, 2023, by another two months. Meanwhile, the Interior Ministry denied allegations that they were somehow involved in the information being leaked.

According to reporting by Turan News Agency, the Ministry of Interior attempted to frame Hajiyev, alleging, it was the activist who leaked this information online. However that is impossible, says Rufat Safarov, the head of the Defense Line initiative that was set up shortly after Hajiyev’s arrest. Speaking to Turan News Agency, Safarov said, “Bakhtiyar has been behind bars since December. How could he possibly distribute this information online? His personal information was stolen and leaked purposefully to discredit him.”

In October of last year, the founder of Az-Net Watch, co-authored this story for IWPR explaining how Telegram is being used in Azerbaijan. “In Azerbaijan, the app has become a nexus for hate speech, propaganda, and the repression of dissent. In March 2021, multiple Telegram groups were identified in Azerbaijan sharing sex tapes and nude photographs of women. Among the victims were journalists, civic activists, and female family members of exiled political activists as well as ordinary women. The groups and pictures were reported to Telegram, but it took weeks before they were taken down. The damage to the women targeted was done. The channels shared sensitive videos of journalist Fatima Movlamli, the sister of exiled dissident blogger Mahammad Mirzali, civic activist Narmin Shahmarzade and Gunel Hasanli, daughter of opposition party leader Jamil Hasanli.”

Telegram’s “content moderation” problems

In 2021, Telegram’s founder Pavel Durov in a post on his channel justified why the platform won’t censor misinformation: “In my 20 years of managing discussion platforms, I noticed that conspiracy theories only strengthen each time their content is removed by moderators.” Meanwhile, the platform’s Vice President Ilya Perekopsky boasted about the platform’s neutrality when it came to content moderation, and specifically misinformation: “we just think people should have their opinion, right? If they disagree they can disagree. They can use telegram to express their opinions. From our side, we always stay neutral.”

In the case of imprisoned Hajiyev, this lax approach to content moderation or lack thereof has already caused significant damage to his reputation but it has also revealed the poor editing and fabrication skills of the people behind this blackmail campaign. Azerbaijani journalist Ulviyya Ali, shared the screenshots from the videos of chat conversations Hajiyev allegedly had with women, which were shared in some of the Telegram channels targeting Hajiyev.

Targeting women 

Activists in Azerbaijan also pointed out that it is not Hajiyev’s reputation that is placed on the line with this blackmail campaign, but the women too, whose photographs are shared in the absence of their consent. Last year BBC published this investigation about the use of the platform in targeting women specifically “to harass, shame and blackmail them on a massive scale.” Gulnara Mehdiyeva, a feminist activist who has been ttargeted herself in the past, said in a Facebook post on February 28, “Terrible things are happening in the country. The government, which is responsible for protecting the safety of citizens, deliberately and knowingly wants to make those women victims of suicide or murder.” Two years ago, Mehdiyeva was targeted in a video shared via Facebook, containing a series of leaked private audio messages, that were extracted from Mehdiyeva’s social media accounts and emails. In a February 28 Facebook post, Mehdiyeva also wrote that not only faces of these women were not blurred but the perpetrators of the blackmail campaign also shared the names of the women and at least in one correspondence leaked, the home address of one woman. One of the women whose identity has been exposed in this campaign, was Tunay Aliyeva, an actress and model who said this blackmail campaign was a “cybercrime and invasion of people’s privacy.” In a letter addressed to the First Lady and the First Vice President Mehriban Aliyev, the actress asked that the First Lady personally stepped in, as a woman and a mother herself, in order to put an end to this “abomination.”

At the time of writing this update, at least six groups were still active on Telegram. A source told AIW that one of the women had to escape her family after the latter learned of what has happened. The woman’s brother is allegedly after her to clean the family’s reputation.  

 

A year in review – from online attacks to overall environment of internet censorship in Azerbaijan

Posted on by aiw_admin

The following overview covers some of the prolific trends which illustrate the scope of digital authoritarianism and information controls in Azerbaijan observed and documented in the past year. 

Introduction 

This report covers the online attacks targeting personal information and devices of human rights defenders, activists, and democracy advocates in 2022. The data is collected through media monitoring and information that was made available by targeted individuals who received support and assistance in mitigating the targeting.  

Overall, 2022 has been no different than recent years in terms of online attacks and internet censorship observed in Azerbaijan. Activists, human rights defenders, and democracy advocates received phishing attacks and were summoned to law-enforcement bodies for criticism voiced online where their personal data and devices were often interfered with in the absence of the owner’s consent. 

In some cases, there were reported hacking attempts and installed spyware programs. In January – December 2022, we observed overall 10 such cases.

Hacking and phishing attacks usually targeted the social media and email accounts of targeted community members. These were possible through the interception of SMS messages (set up as 2FA). In fact, SMS interception has been the main practice, leading to the hacking of scores of personal accounts, the paralyzation of social media accounts, the deletion of online posts, and the dissemination of personal information belonging to the targets.

Among some of the prominent cases was political activist Bakhtiyar Hajiyev whose social media accounts were targeted on multiple accounts. Hajiyev was also kidnapped twice in April and August 2022 and he was taken to the law-enforcement bodies. Police gained access to his social media accounts by force and removed posts that were critical of the authorities and state institutions. Hajiyev was arrested on December 9, on bogus charges, and sentenced to 50 days in administrative detention [shortly after his arrest Hajiyev announced he was going on a hunger strike. According to media reports, he stopped the strike on December 29, 2022]. 

Another civil society member, Imran Aliyev was also kidnapped by the Main Department for Combatting Organized Crime where his devices and social media accounts were compromised against his will.

Abulfaz Gurbanli, also an active member of civil society, was phished through an email and WhatsApp messages in February 2022. A file disguised as grant-related information from a known donor organization containing a virus was sent to Gurbanli via his email. On WhatsApp, the activist received a message from someone impersonating herself as a BBC Azerbaijan Service journalist. The targeting resulted in the installation of spyware on his device and the hacking of his social media accounts. 

At the time, Az-Net Watch requested assistance from Qurium media to analyze the link shared in the email and despite the journalist’s assurances, the link did contain a virus. “The mail pointed to a RAR compressed file in Google Drive that once downloaded required a password to be decrypted. The password to decrypt the file was included in the phishing e-mail: bbc. Compressed files that are password protected are common in malware phishing attacks as the files can not be scanned by antivirus,” concluded Qurium in its preliminary report. The further forensic report identified malware written in AutoIT. Once the link (in our case the link to a drive where the alleged journalist left questions for the political activist) was opened, the hacker through the deployed malware installed a persistent backdoor in the system. “The software connects to the domain name smartappsfoursix{.}xyz to download the rest of his software requirements. It downloads gpoupdater.exe and libcurl.dll which look responsible for uploading files to the command and control server. During the execution of the malware several (10) screenshots of the Desktop were uploaded to the server,” read the Qurium analysis.

Meanwhile, after taking over Gurbanli’s Facebook account, the hacker also deleted all of the content on at least seven of the community pages, where Gurbanli was an admin (screenshots below are from just two pages). 

Az-Net Watch previously documented attacks through phishing emails sent to civil society activists last year. At the time, an email impersonating a donor organization was sent to a group of activists encouraging them to apply for a Pegasus Grant. Preliminary forensic results carried out at the time indicated that the malware sent around in this email was similar to a phishing campaign from 2017, that was widely covered and reported by Amnesty International: “The victims and targets identified, as well as the political theme of bait documents, indicate that the campaign is largely targeting human rights activists, journalists, and dissidents. This campaign also aligns with findings by VirtualRoad.org in their report, “News Media Websites Attacked from Governmental Infrastructure in Azerbaijan”, which links some of the same network address blocks with “break-in attempts” and “denial of service attacks” against several independent media websites. “The malware that was observed is not sophisticated and is in some manner extremely crude. However, combined with social engineering attempts and an unprepared public, these tactics can remain effective against many targets.”

In another case, an online media outlet – ToplumTV – social media accounts were hacked by intercepting incoming SMS, set up as a two-step authentication method. This resulted in the removal of countless news posts as well as subscribers to the channel’s social media account. The media outlet was previously targeted in September and November 2021 – in both instances, the social media accounts were hacked by SMS interception.

Feminist activists also witnessed a surge in online phishing attacks and hacking attempts ahead of the International Women’s Day protest scheduled to take place on March 8, 2022. At least three activists received support to ensure online safety during this period. Similar attacks and targeting were documented last year. In addition to compromised accounts, some feminist activists have faced account impersonation. Most recently, activist Narmin Shahmarzade reported to Az-Net Watch, that a fake Instagram account impersonating the activist shared Sharmazade’s photos in the absence of her consent with inappropriate captions. Az-Net Watch is currently working with the platform to remove the fake account. 

Users of social media platforms, who posted critical of the government comments and posts, were also summoned to law- enforcement bodies where they were either forced to hand in their devices and passwords to their social media accounts or to delete their posts that were critical of the government. At least in 5 cases, activists and bloggers faced administrative arrests and interference with their social media accounts for their criticism online and activism. 

One of the most recently documented cases includes a blogger who was called into questioning after sharing a video on Facebook of the traffic police accepting a bribe. The blogger was forced to remove the video after the questioning at the police station. Aziz told Meydan TV that police threatened to keep him less he removed the video. After Aziz told the local media about the pressure from the police, the blogger was called back into the questioning together with his parents. 

In November, prominent lawyer, Elchin Sadigov said the law enforcement refused to return his mobile devices after the lawyer, would not share his passwords. Sadigov was arrested in September 2022 together with an editor of an independent outlet. In an interview with Meydan TV, Sadigov said, he considered demands that he shares his login credentials were a violation of privacy. 

Also in November, a member of D18 political movement, Afiaddin Mammadov, who was arrested on bogus charges and sentenced to 30 days in administrative detention said he was tortured by the local police officers after refusing to share his password to his device.

Other documented instances of social media users targeted over their online criticism this year include: 

In April, Meta released its pilot quarterly Adversarial Threat Report in which the platform said it identified “a hybrid network operated by the Ministry of the Internal Affairs.” According to the document, this network relied on, what Meta refers to as, “Coordinated Inauthentic Behavior [CIB]” in combination with cyber espionage, “compromising accounts and websites to post” on behalf of the Ministry. According to the report, these coordinated online cyberattacks targeted journalists, civil society activists, human rights defenders, and members of opposition parties and movements in Azerbaijan. The ministry’s press office was quick to dismiss the findings, saying the findings were fictitious. 

Azerbaijan was also among countries identified in Pegasus leaks targeting some 80 government critics among one thousand other Azerbaijanis identified in the targeting with Pegasus spyware. 

The attacks and support provided, in the course of the past year, illustrate that no matter how well-prepared political activists and members of civil society are in Azerbaijan, digital security awareness is insufficient in autocratic contexts like Azerbaijan. 

We also observed that existing legal remedies in the country are insufficient to find perpetrators behind such targeting and hold them to account. While in a few instances targeted community members filed official complaints, the investigative authorities showed reluctance in effectively investigating the incidents. 

This year, Az-Net Watch published this detailed report about litigating Pegasus in Azerbaijan in which together with a legal expert we conclude that existing national legislation concerning privacy and surveillance is insufficient, and is left to vague and often overt interpretation in the hands of law enforcement and prosecutor office. As such, Azerbaijan continues to systematically fail in providing effective legal remedies and sound investigations against state-sponsored digital attacks and surveillance. Moreover, despite evidence-based reports of targeted and coordinated cyber attacks against activists, the government thus far has not investigated and/or provided effective legal guarantees. And in all cases filed for investigations, nearly a year later after Pegasus spyware has been identified to be in use, the law enforcement authorities are yet to take formal investigative actions. 

In another report published this year together with a legal expert, Az-Net Watch identified serious gaps in data privacy protection mechanisms in Azerbaijan. Our analysis indicated that the national legislation on personal data protection does not effectively protect individuals against the arbitrary use of their personal data by both public and private entities. The analysis also indicated that the national laws restrict and control personal data with intrusive measures, such as equipping telecom networks with special devices, and real-time access to vast amounts of personal data, in the absence of a criminal investigation or judicial order. 

Conclusion 

These and other instances of digital threats and offline persecution for online activism illustrate that internet freedom in Azerbaijan continues to decline with no signs of abating. For yet another year, Azerbaijan was ranked “not free” in Freedom on the Net 2022 report released by Freedom House. In addition to scores of news websites currently blocked in the country (a practice observed since 2017), the state has also resorted to blocking or throttling access to social media platforms and communication applications in recent years. In September 2022 the state demonstrated its control over the internet by blocking access to TikTok on the grounds the platform was casting a shadow over military activities, revealing military secrets, and forming wrong public opinion. The blocking was carried out amid renewed military tensions between Armenia and Azerbaijan. Other users said they experienced issues accessing WhatsApp, Telegram, and slow internet connectivity speeds. Previously, during the second Karabakh war (in 2020), users in Azerbaijan faced internet restrictions as well. 

Civic activists in Azerbaijan express concern over state control of the internet at a time, when social media platforms, and independent as well as opposition online news sites have become the sole sources of alternative information accessible to the public outside of traditional media. 

The present environment is further exacerbated by the continued crackdown on civic activists as in the case of Bakhtiyar Hajiyev mentioned earlier in the report. In addition, a number of critical bills approved by the parliament this year, demonstrate a profound lack of interest on behalf of the state to ensure basic freedoms including freedom of the media and of association. As of February 2022, a restrictive new media law compels online media outlets to register with the government agency and has imposed a number of other critical requirements and criteria that critics say only serve the purpose of silencing independent journalists and news platforms. 

On December 16, 2022, the parliament also approved a critical bill on political parties, introducing a new set of exhaustive restrictions on political parties. 

As such, Azerbaijani civil society is facing a turbulent year ahead both offline and online in an environment dominated by state control on all forms of dissent leaving many wondering how far the state is willing to go to silence the critics. 

Litigating Pegasus in Azerbaijan: Addressing harms of the government-sponsored surveillance on civic groups in the absence of legal guarantees

Posted on by aiw_admin

In the following featured legal analysis, AIW looks at the litigation work carried out thus far in Azerbaijan on devices infected by Pegasus. Specifically, this legal analysis looks at how Pegasus spyware was deployed to monitor journalists, lawyers, and activists in Azerbaijan and the legal steps taken within the existing national legislative framework to mitigate the unlawfulness of the use of Pegasus against these groups and individuals.  

Background

Over the last few years, global-scale investigations carried out by international human rights organizations, investigative journalists, and/or whistleblowers have shown that the scale of the unlawful surveillance of individuals’ private lives through murky technology software has been pervasive, and widespread. Those findings also revealed the vulnerability of individuals’ fundamental rights and freedoms to private technology companies and the states deploying that technology for their personal interests.

This has certainly been the case in Azerbaijan, where platforms like Azerbaijan Internet Watch (AIW) and others, have documented government-sponsored surveillance and cyber espionage activities. Especially vulnerable are the social and political activists. Several human rights monitoring organizations note the increase in cyber attacks on these groups in recent years.

***

Since 2011, Freedom House analyzes the state of Internet freedom in Azerbaijan in its annual Freedom on the Net report. Until now, each report indicated continuing deterioration of internet freedoms in the country.

Increased interventions on the internet freedoms often constitute a violation of fundamental rights and freedoms stipulated in national and international human rights documents, as such making states obligated to provide effective legal protection and recovery mechanisms against such violations.

However, as documentation and reports from recent years indicate, Azerbaijan thus far, failed to provide effective legal guarantees in cases of privacy violations through cyber-attacks, illegal collection of personal data, wiretapping, and account compromise. Despite routine calls made to the Azerbaijani authorities to investigate and bring perpetrators of cyber-attacks to account, no steps have been taken.

As a result, Azerbaijan continues to systematically fail in providing effective legal remedies and sound investigations against state-sponsored digital attacks and surveillance. Moreover, despite evidence-based reports of targeted and coordinated cyber attacks against activists, the government thus far has not investigated and/or provided effective legal guarantees.

***

In July 2021, an international collaborative reporting initiative #PegasusProject documented how NSO Group, an Israeli surveillance company, sold Pegasus, a hacking software, to authoritarian regimes to target human rights activists, journalists, politicians, and lawyers among others worldwide. The investigation and the list were coordinated and obtained by the Paris-based journalism nonprofit Forbidden Stories and advised by Amnesty International Security Lab.

The investigation determined that Azerbaijan was among the top 10 countries deploying Pegasus spyware.

Organized Crime and Corruption Reporting Project (OCCRP), which was one of the partners in the global investigation, discovered that out of the 50,000 phone numbers that were leaked, 1000 were from Azerbaijan. OCCRP was able to identify 245 numbers and as a result, concluded that a fifth of these numbers belonged to journalists, lawyers, human rights and political activists, politicians, and their family members. OCCRP published a list of identified civil society activists whose devices were confirmed to have traces of Pegasus spyware.

***

Following the Pegasus Project leak, on July 22, 2021, on the National Press Day in Azerbaijan, journalists and human rights defenders gathered in a virtual round table discussion titled “New digital threats to critical voices” initiated by the Institute for Reporters’ Freedom and Safety. The group discussed the importance of protection mechanisms against such mass surveillance and stressed the need to join efforts and seek legal remedy through domestic and international courts. As such, an operative group of lawyers was assembled to develop applications and appeals to domestic authorities and the European Court of Human Rights (ECHR).

Since that meeting and at the time of writing this report a total of four groups were formed, led by different lawyers, representing in total of 62 applicants. It is worth noting that some victims hesitated to join these collective complaint groups due to safety concerns.

Complaints and lawsuits were lodged as early as August 2021. Lawyers and advocates representing all four groups, prepared complaints to the Prosecutor General’s Office of the Republic of Azerbaijan, claiming that their clients’ mobile devices were illegally infected by Pegasus spyware leading to violations of privacy, freedom of expression guaranteed under the national laws and European Convention on Human Rights, the right to effective remedies and the right not to be subjected to restrictions of Convention rights with improper motives or ulterior purposes (Article 18).

Applicants in the group of cases led by advocates and practicing lawyers requested the Prosecutor General’s Office to open a criminal investigation based on the evidence revealed as a result of the global investigation. Specifically, the lawyers noted that several articles of Azerbaijan’s Criminal Code – Article 156, “Violation of privacy”, 271, illegal access to a computer system, 272, illegal interception of computer data, and 302, “Violation of the legislation on operation-search activities”, were violated as a result of the committed criminal act.

According to Article 156 of the Criminal Code (“Violation of privacy”), actions that violate privacy are prohibited and are the basis for criminal liability. According to Article 156.1 of the Criminal Code, the distribution, sale, or giving to someone else, the illegal collection of information that is a secret of personal and family life, documents reflecting such information, video and photo recording materials, sound recordings, causes criminal liability. Article 156.1 of the Criminal Code aims to protect the information that constitutes the secret of personal life and is derived from the goal of protecting people’s constitutional right to privacy. The object of this crime is people’s personal life information.

According to Articles 271 (illegal access to a computer system) and 272 (illegal seizure of computer data) of the Criminal Code acts of deliberately entering a computer system or any part of it without the right to access it, by violating the security measures, or capturing computer data stored on a device, or with other personal intent are criminalized.

Article 302 of the Criminal Code (“Violation of the legislation on operation-search activities”) criminalizes unlawful measures by the persons authorized to carry out operational-search activities in the absence of the grounds established by legislation.

In all of the legal complaints submitted based on the list of violations mentioned in the paragraph above, the team of lawyers asserted that the findings of the Pegasus investigation, put their clients at risk of both secret surveillance and of having their communications data unlawfully intercepted by the authorities or third parties who own the software. None of the identified civil society representatives targeted by the spyware were under lawful investigation. As such lawyers demanded that the Prosecutor General’s Office of Azerbaijan launch a criminal investigation, including the possible role of the Azerbaijani law enforcement in the mass surveillance activities. The legal representatives of all clients said, the state is obligated to provide effective legal guarantees against the abuse of spyware tools against citizens as the latter may constitute unlawful interferences to the right to private life, freedom of expression, and in the case of failure to fully and duly investigate, violation of the right to an effective remedy.

Due to the lack of legal remedies in cases of severe privacy violations, within the Azerbaijani legislation, advocates and lawyers relied on Article 8 (right to respect for private and family life), Article 13 (right to an effective remedy), and Article 18 (Limitation on use of restrictions on rights) of the European Convention on Human Rights.

Between July 2021- July 2022, one of the advocates representing one of the four groups of applicants,  separately applied to the State Security Service [SSS], the Ministry of Internal Affairs [MIA], the Ministry of Digital Development and Transport [MDDT], as well as the Ombudsman office requesting an investigation, along with the Prosecutor General’s Office. None of the advocate’s appeals were successful. None of the institutions investigated the complaints or provided reasonable answers.

Overall, the lack of effective response on behalf of the law enforcement authorities, against complaints requesting to open a criminal investigation, indicates there were and still are significant flaws and delays in the investigation process, despite the evidence collected through forensic methodology by the international organizations. Nearly a year later, the law enforcement authorities are yet to take formal investigative actions, despite the complaints containing forensic evidence obtained from the examined mobile devices.

Court litigations

In all of the legal cases, the lawyers provided circumstantial evidence (contextual information) for how Pegasus infected the mobile devices of applicants. Specifically, the lawyers shared detailed information about the purpose of the Pegasus spyware and the potential state agencies that might use it. Relying on the existing national legislation the lawyers also established the legal grounds for using surveillance programs to intercept private communication or other private data from technological devices, including mobile phones.

Advocates representing the four groups submitted complaints to the local courts against the general prosecutor’s office for failing to explain why it sent lawyers’ Pegasus-related complaints to the State Security Services in the absence of justifications or notice. It was the responsibility of the General Prosecutor’s Office to investigate lawyers’ complaints, but instead, it sent them directly to State Security Services. This was unlawful and baseless. Yet, despite the unlawfulness of the act, the local courts did not satisfy these complaints and returned them without consideration (issued decisions in a similar text that they were considered inadmissible).

This explicitly demonstrates that the law enforcement authorities and domestic courts of Azerbaijan refused to effectively investigate the complaints and failed to provide any legitimate grounds for refusing the investigation in the first place.

One of the four groups involved in litigation procedure, includes activists, human rights defenders, journalists, and other public figures, who were previously subjected to different legal harassment by the government. Advocates and lawyers representing this group are demanding that the Prosecutor General’s Office investigate the possible role of the law enforcement authorities on the grounds that the use of spyware tools breached the defendants’ rights guaranteed under both the Constitution of Azerbaijan and the international treaties Azerbaijan is a party to. 

The complaint consists of the summary of the complaint itself, information about the applicant, and information on the use of Pegasus to track the defendants, including applicants’ claims and petitions based on the substantial and procedural grounds of the complaint.

In their fifteen-page complaint, the applicants referred to the findings of Pegasus investigations, alleging that their phones were tapped and infected with Pegasus. The complaint also stated that listening and monitoring of the complainant through the use of Pegasus violated Articles 32, “Right to inviolability of private life” and 47, “Freedom of thought and speech” of the Constitution of Azerbaijan, and Articles 8, 10 and 18 of the European Convention on Human Rights (ECHR) as the breach was politically motivated. Lawyers also claimed that the surveillance was in violation of Articles 18 and 19 of the UN International Covenant on Civil and Political Rights, as well as the jurisdiction of the Human Rights Committee on the implementation of that Covenant.

In addition, 11 petitions were attached by the lawyers, to the submitted complaints, requesting certain actions from the Prosecutor General’s Office that was necessary for an impartial and comprehensive investigation. These petitions included:

  • Obtaining testimonies of applicants;
  • Submitting official requests to Amnesty International Forensics team and the OCCRP for forensic investigation of identified devices;
  • requesting the Ministry of Internal Affairs and the State Security Service to obtain a list of persons who carried out the interception of the devices;
  • obtaining information on the purchasing of the spyware from the “NSO Group” company;
  • requesting information from the Ministry of Internal Affairs, the State Security Service, and the State Special Protection Service of the Republic of Azerbaijan about any relevant instructions on preventing human rights violations during the use of the Pegasus or similar programs;
  • obtaining information on whether the officials at the Ministry of Internal Affairs and the State Security Services, authorized to carry out an operation-search measure, were involved in training on legislation and human rights standards.

It was also noted that the applicants, were law-abiding citizens, engaged in public and political activities, and were not engaged in criminal activities. As such the targeting of these individuals with Pegasus, was politically motivated and criminal given the absence of any mandatory, investigative, or judicial acts, within the scope of the Code of Criminal Procedure (CPrC) Article 177.3.5, and as a result, the use of Pegasus on their devices was in violation of targeted users’ rights and freedoms.

According to Article 443.1 of the CPrC, investigative actions over mobile phones and other communication devices are usually carried out on the basis of a judicial act. In the cases where these investigative actions are carried out without a court decision, on the basis of the investigator’s reasoned decision, after the completion of the corresponding investigative action, the investigator must inform the court conducting the judicial control and the prosecutor conducting the procedural management of the preliminary investigation within 24 hours and verify the legality of the investigative action carried out within 48 hours.

According to Article 215.1 of the CPrC, it is mandatory to conduct a preliminary investigation in all criminal cases, except for the investigation conducted in the form of simplified pre-trial proceedings for crimes that do not cause a great public danger.

Moreover, when responding to the lawyers’ complaints, the Prosecutor General’s Office, determined that the applicants’ complaints had to be sent to the Investigative Directorate of the SSS. Which is contrary to Article 215 of the CPrC and was contested by the lawyers who submitted a complaint to a local district court. The lawyers argued that it was illegal and unreasonable for the General Prosecutor’s Office to forward the complaint to the SSS for further investigation without any justification. At the same time, the transfer of the pre-trial investigation to the SSS, which is (potentially) a party of interest in the case, violates the procedural rights of the applicant on the personal life and freedom of expression, as well as the right to the effective remedy provided by Article 13 of the ECHR (taken together with Articles 8 and 10), because SSS will not be able to carry out the work related to the alleged illegal actions of its employees in accordance with the principle of objective impartiality. In addition, there are no normative legal grounds that could demonstrate the objective independence of the Investigative General Department of the SSS from other structural divisions of the Security Service.

Explainer: Lawyers reasoned that Pegasus was provided to the police and security agencies. From this point of view, based on the circumstances of the case, there are sufficient grounds to assume that the listening and online monitoring of the complainant was carried out by an employee (colleagues) of the police and (or) security agencies. In such a case, the prosecutor’s office cannot hand over the case of the preliminary investigation to the investigative body of the institution that carried out such hearing and monitoring. Otherwise, such an investigation would be subject to a conflict of interest in the case. In this regard, the elimination of conflict of interest in the investigation of a criminal case is one of the requirements of the criminal procedural legislation. Summarizing the above, it becomes clear: a) referral of the complaint to the State Criminal Court is a violation of the investigative responsibility defined in Article 215.2 of the Criminal Procedure Code; b) referral of the complaint to the DTC contradicts the principle of conflict of interests contained in Article 1.1 of the CPrC; c) referral of the complaint to the DTC is a violation of the human rights of potential victims (interested persons) defined by Article 1.4 of the CPrC, in this case, the right to request an effective procedural investigation; d) the referral of the complaint to the State Prosecutor’s Office is a contradictory decision and gives the impression that legal proceedings have been initiated to listen and monitor the complainant, as well as this referral was carried out by the wrong structural unit of the General Prosecutor’s Office.

Responses of law enforcement authorities

The General Prosecutor’s Office’s response to complaints was to forward the complaints to the State Security Service (SSS) for further investigation, without informing the applicants and without providing any explanation for the reasons for doing so.

The SSS, in all four groups of cases, refused to give an official written answer to the applicants about the investigation of their complaints (although they are required to do so by law). Officials from SSS informed lawyers verbally, that SSS did not monitor the applicants through Pegasus and therefore no written responses would be given.

As a result, advocates representing all four groups filed lawsuits against the General Prosecutor’s Office and the SSS for inaction and refusal to launch a criminal investigation.

It was not until August 2022, that the SSS started to summon a number of civil society members and journalists (applicants) to obtain their testimonies in regard to allegations of the tracking of their phones by the Pegasus software. Reflecting on the delayed response, one of the targeted civil society activists, and the chairperson of Election Monitoring and Democracy Studies Center, Anar Mammadli, said this was simply a sign of lack of action. 

In their responses to some of these complaints, the General Prosecutor’s Office and the Ministry of Internal Affairs said it was not possible to conduct an investigation on the complaint. Moreover, in relation to some of the applicants, in their response, the General Prosecutor’s Office, said, “the information on the features of capturing and tracking personal secret information was not determined by means of the Pegasus spy program,” but stopped short of explaining how then the information was obtained if it was not through Pegasus.

Since the engagement of advocates in pursuing these cases in domestic courts, the proceedings in all four groups are pending at different instances. Only 15 applicants were sent to the Strasbourg Court thus far. Advocates are currently seeking to exhaust domestic remedies to apply to the ECHR in the remaining cases.

Conclusion and next steps in taking the Pegasus cases to the European Court of Human Rights

In addition to the Constitution and other national laws of the Republic of Azerbaijan, the right to privacy is recognized as an international human right in numerous international treaties to which Azerbaijan is a party. As a signatory of the European Convention on Human Rights and the International Covenant on Civil and Political Rights, Azerbaijan has binding obligations to protect rights to private life, including private communication and other private data, from infringements, including unlawful search-operation and surveillance activities of law enforcement authorities and any interference by third parties.

On September 20, 2009, Azerbaijan ratified the Council of Europe Convention of 1981 (Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) for the protection of personal data which also falls within the scope of private life as protected by Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) making its application in Azerbaijan compulsory.

The ECHR reiterates that any interference can only be justified under Article 8, paragraph 2, if it is in accordance with the law, pursues one or more of the legitimate aims to which paragraph 2 of Article 8 refers, and is necessary in a democratic society in order to achieve any such aim (see Kennedy v. the UK, paragraph 130). 

In the context of handling complaints related to Pegasus cases by Azerbaijan’s law enforcement agencies and courts, the lawyers demonstrated, that the applicants were subjected to interferences to their right to private life contrary to the adopted national and international human rights documents. The lawyers’ subsequent complaints were related to the law enforcement and judicial authorities’ refusal to investigate complaints about those interferences, including secret surveillance without providing any explanations and sound reasons.

In all four groups of Pegasus litigations, the secret surveillance of mobile devices had no basis in domestic law as none of the applicants were declared as suspects or accused persons in any criminal investigations.

The Strasbourg Court has delivered many rulings on the protection of privacy and personal data against government-sponsored surveillance or state responsibility to protect individuals from violence by third parties (Guide on Article 8 of the European Convention on Human Rights. Right to respect for private and family life, home, and correspondence. Updated on 31 August 2021. Para 107.) In order for surveillance to be in line with the Convention, certain legal safeguards should be provided both in legislation and practice, according to the case law of the ECHR.

Explainer: the law must be precise and clear as to the offences, activities and people subjected to surveillance, and must set out strict limits on its duration, as well as rules on the disclosure and destruction of surveillance data. Rigorous procedures should be in place to order the examination, use and storage of the data obtained, and those subjected to surveillance should be given a chance to exercise their right to an effective remedy. The bodies supervising the use of surveillance should be independent, and appointed by and accountable to parliament, rather than the executive.

At the moment, advocates and lawyers, are in the process of developing their clients’ applications to the ECHR alleging that the laws governing the matters of secret surveillance, as applied in practice, and also the refusal of the law enforcement authorities and courts to investigate allegations of surveillance, do not provide sufficient safeguards against arbitrary or abusive secret surveillance and/or accessing of private communications data. Lawyers also complained they had no effective remedy – domestically – in respect of those breaches which can be achieved through national legislation that strictly abides by the case law of the ECHR. The lawyers alleged that no effective remedy was available under Azerbaijani law and that SSS’s investigation could not be rendered effective since it is not an impartial and objective institution to review allegations of possible abuses and arbitrariness of its own officials. As regards the surveillance, a State could arguably be liable in respect of whatever system of surveillance without offering adequate and effective guarantees against abuse according to the well-established case law of ECHR.

According to Azerbaijan’s criminal law system, there are two judicial procedures that may be used by an individual wishing to complain about the acts of the investigative authorities:

  • complaint to supervisory-review and
  • judiciary (first and appeal court instances) under the CPrC.

However, as seen throughout the domestic litigation process in the course of the last year, the domestic courts stated clearly that the General Prosecutor’s Office forwarding the complaints to the SSS were not subject to judicial review, and the SSS’s lack of action was also not viewed as a sufficient ground to allow judiciary review. This makes it unacceptable that an individual cannot lodge such a complaint without having at least the concrete decision of the investigative authorities, which in fact, constitutes de-facto rejection to investigate the complaint containing allegation about a criminal act committed against him/her. In the absence of domestic remedies against potential surveillance measures under Azerbaijani law, an individual would hardly ever be able to have his/her right to effective remedies, respected and ensured. 

Explainer: In this connection, the case law of the ECHR notes that ‘In the sphere of secret surveillance, where abuses are potentially easy and could have harmful consequences for a democratic society as a whole, it is in principle desirable to entrust supervisory control to a judge, judicial oversight offering the best guarantees of independence, impartiality and a proper procedure (Roman Zakharov v. Russia [GC], § 233; İrfan Güzel v. Turkey, § 96).’ The absence at the national level of a judicial review of the law enforcement authorities reactions (inaction or refusal to investigate without a decision) to the complaints of individuals containing alleged unlawful surveillance and other infringements of the right to privacy excludes the state’s obligation to strike a fair balance between the competing public and private interests.

Therefore, Article 8 of the ECHR likely be found as violated without the opportunity for judicial review of the inaction of law enforcement authorities constituting de-facto rejection to investigate the complaint containing allegations of violation of the privacy of individuals as they had not benefitted from the minimum degree of protection against abuses and arbitrariness. According to the case law of the ECHR, the absence of a judicial review of the overall covert surveillance system which was entrusted solely to the state body which was directly involved in requests for the use of special surveillance means amounted to a violation of Article 13 in the light of Article 8 owing to the lack of an effective remedy (see: Association for European Integration and Human Rights and Ekimdzhiev v. Bulgaria, 2007, §§ 98-103).

As such these litigations expose that surveillance software not only harms individuals unlawfully targeted but also raises the question of insufficient legal guarantees in place to protect generally all individuals against possible unlawful surveillance and other kinds of privacy violations.

Finally, these litigations highlight the insufficient legal guarantees both in national legislation and practice, by creating significant legal precedent at ECHR, and by publicly uncovering and highlighting the inadequate national legislation which potentially can lead to gross human rights violations. Therefore, there is a greater need to challenge both national laws and the practice of state authorities’ system of secret surveillance, as the current system constitutes potential risks for interference with the rights of all users of telecommunication services guaranteed by the Convention and national laws.

exiled blogger continues to receive threats [updated June 15, 2022]

Posted on by aiw_admin

[Update June 15] On June 12, French police arrested two men suspected of being sent to France to kill Mirzali. According to RSF, the two men – one Azerbaijani and the second Moldovan of Turkish origin – “were driving Polish-registered cars, and both had Mirzali’s address.” 

Mirzali tweeted about the arrest too:

The blogger also said that the government of Azerbaijan has filed three separate lawsuits against him on June 3. Defiant, Mirzali vowed to continue his activism regardless of threats. 

[Update] On April 26, 2022, a French court arrested and charged four men who were behind the stabbing of Mirzali according to the personal account of the blogger shared with AIW. The four men are accused of attempted murder as part of an organized group.

[Update] On June 1, a new attack targeting Mirzali took place outside of his apartment in France. According to the blogger’s personal account, someone broke the windows of his car and left a note behind, that said, “This is for you.”

He continues to receive threats via messages sent to his phone. The most recent one Mirzali received during an interview with RFERL, said, “you should behave yourself when I’m around.”

A statement issued by Reporters Without Borders on June 4, said, “Reporters Without Borders (RSF) calls on Azerbaijani President Ilham Aliyev to put an immediate stop to all threats and violence against Mahammad Mirzali, an Azerbaijani video blogger who is a refugee in France. He was badly stabbed in an attack last March and continues to be threatened near his home for criticizing his country’s authoritarian leader.”

On March 30, exiled blogger Mahammad Mirzali shared screenshots of new threats he has been receiving from unknown numbers. In one message the sender says he has a new incriminating video of Mirzali’s sister. In another, the sender claims there is new material about members of the opposition Popular Front Party that he will be sharing shortly. Yet in another message, the sender claims to have intimate videos of Kemale Beneniyarli, the chairman of the women’s council of the Popular Front Party. In the same message, the sender offers an alternative link to a Telegram channel in case the first channel is removed.

On March 14, AIW reported that Azerbaijani blogger, Mahammad Mirzali was stabbed in the city of Nantes, France. Mirzali, runs a YouTube channel, Made in Azerbaijan. On March 14, Mirzali was attacked by a group of men and was hospitalized after receiving multiple stab wounds. According to Reporters Without Borders, Mirzali underwent surgery that lasted more than six hours.   

On March 21, while recovering at the hospital, Mirzali received yet another message on WhatsApp from a man named Andres Gragmel, “This is the last warning. We can kill you without any problem. You’ve seen that we’re not afraid of anyone (…) If you continue to insult our sisters, we’ll have you killed with a bullet to the head fired by a sniper.” 

Reporters Without Borders is asking to place Mirzali under police protection following the most recent and previous attacks [Mirzali was shot at in October 2020 as he was getting into his car.]

Threat messages and endless calls via WhatsApp from unknown numbers [often US numbers] are not new. Scores of activists in Azerbaijan have complained about this before. And Azerbaijani activists are not the only ones targeted this way. 

In May 2019, WhatsApp discovered that attackers were able to install surveillance software on both iPhones and Android phones by ringing up targets using the app’s phone call function reported FT. The surveillance software is developed by Israeli NSO Group. It transmits a malicious code even if owners of mobile devices do not answer the calls. It can also remotely and covertly extract valuable intelligence from mobile devices, by sharing all phone activity including communications and location data with the attacker once the device is infected. “In the past, human rights campaigners in the Middle East have received text messages over WhatsApp that contained links that would download Pegasus to their phones,” reported FT in May 2019. 

In October 2019, BBC reported about Faustin Rukundo, a Rwandan exile who lives in the UK, receiving a call from an unknown number on WhatsApp. When Rukondo answered, the line was silent, after that the phone went dead, reported the BBC. In Rukundo’s case, the dialed number had a country code for Sweden. He kept receiving calls from the exact same number as well as other numbers on WhatsApp. Eventually, he figured something was wrong. Then researchers at Citizen Lab confirmed that Rukundo was indeed targeted with Pegasus. 

The same month, WhatsApp “confirmed that the exploit (a software or command that leverages a specific software vulnerability in order to execute some unwanted code on the vulnerable device) was deployed by the Israeli-based surveillance tool vendor NSO Group. The exploit could deliver intrusive spyware on the target’s mobile device without the targeted person having to click on a malicious link. The targeted person would simply see a missed call on WhatsApp,” reported Amnesty International.

According to Amnesty the way the spyware worked was: 

  • The security vulnerability in question was in the code that Whatsapp uses to establish a new voice or video call. In order to exploit this, the digital attack initiated WhatsApp calls to the target’s device.
  • Attackers may have tried to exploit this issue by making calls multiple times during the night when the target was likely to be asleep and not notice these calls.
  • Successful infection of the target’s device may result in the app crashing. There is a possibility that the attacker may also remotely erase evidence of these calls from the device’s call logs.
  • Evidence of failed attacks may appear as missed calls from unknown numbers in your WhatsApp call log.

In January 2020, Nagpur-based human rights lawyer Nihalsing Rathod who has been receiving strange calls via WhatsApp over the last two years from international numbers was informed that his phone was infected. Rathod, just like Rukundo, answered these calls, only to receive silence on the other end of the line. 

According to Access Now, since 2016, some 46 countries were identified where NSO Group’s Pegasus has been in use. “Reports from Access NowCitizen Lab, and others all show that an alarming number of people targeted using Pegasus have been journalists, lawyers, and activists, whose only crime was speaking out against and reporting on the injustices in their home countries.”

Whether the same technology is being used to target Azerbaijan acvtivists is yet to be investigated. Although Azerbaijan has acquired sophisticated surveillance technology over the years, Pegasus was not one of them, not from the available information. But the resemblance of the nature of these calls and the target group, raise concerns.